by bourgoin
3103 days ago
If the incentive systems are designed correctly, maybe the dancing and box-checking can result in a near-optimal state. I think most of us here share the notion that hardening systems up-front is the most cost-effective way in the long run, but that companies tend not to do so due to a myopic view of security as a short-term expense rather than a long-term investment. I read a post with an interesting idea recently: entities are currently treating customer data as an asset, whereas they should be treating it as a liability. If the regulatory incentives are set up such that customer data is a liability, companies will find it most efficient to buy insurance. And no successful insurance company will offer coverage without performing their due diligence. If the hardening itself is not the cost center, but rather the insurance premiums, then the end result may be companies doing infosec the right way, just because it's the most cost-effective thing to do.